Only let owners insert to database (allow / deny)

Hey guys!

I’m working on the perfect solution for my allow / deny rules. For my project, users who are logged in are able to create a post to the database where everyone can see it. When other users can see it, it should only be the owner of the document that can insert, update and delete that post. How do I check for that? I use Quickform to insert.

For my example, i’ve made this:

```js
Posts.allow({
  insert: function (userId, doc) {
    // Passes only if the submitted document already carries a userId
    // equal to the logged-in user's id.
    return doc && doc.userId === userId;
  },
  update: function (userId, doc) {
    return doc.userId === userId;
  },
  remove: function (userId, doc) {
    return doc.userId === userId;
  }
});
```

But this code returns me an error whenever I want to create a new post. So I’m not allowed to either insert, update or delete any posts, not even my own. Can anyone help me with that?

Thanks in advance!

The Meteor Guide says to avoid using allow/deny rules and to use methods instead.

Sorry for not helping you with your particular implementation problem, I’m just dropping this best practice here, so maybe you’ll just change your app architecture.


Thank you for the quick reply!

I’ll take a look at it now :slight_smile:

“Perfect” is unfortunately a word that doesn’t truly work without a context. For one, a perfect solution is the one which gives the client the ultimate user experience. For another, a perfect solution will be the most secure one. And then, there’s always the third way of “perfect” meaning the optimal compromise between both.

I highly recommend doing all your inserts, updates and removes via Meteor.methods, on the server instead of the client, with a client stub to keep the user experience nice with optimistic UI.

That’s recommended also in the official guide http://guide.meteor.com in the security chapter. One of the subchapters is even called “Avoid allow/deny”.

Edit: But I see that @josmardias wrote it already in the meantime.


Thank you guys for the quick reply! :slight_smile:

Read also an older, but still up to date article about this issue: https://www.discovermeteor.com/blog/meteor-methods-client-side-operations/

I now get the point of not using allow / deny rules for client-side users because it’s all or nothing, and I should instead use a Method. Maybe it’s just me, but I can’t seem to find an example of a Method where they actually use, let’s say, insert.

Let’s say I want users to create a post, where they insert their location and description on the post. When they click “Submit” to insert the new post to the database, would this do the trick then? @josmardias @brajt

```js
Template.post.events({
  'click .submit': function (event) {
    event.preventDefault();
    // insert() takes the document and an optional callback, not a modifier,
    // so the author has to be part of the document itself.
    Posts.insert({ location: Text1, desc: Text2, author: Meteor.userId() });
  }
});
```

(Written here in the editor and not tested for mistakes)

```js
// Client: call the method instead of writing to the collection directly.
Template.post.events({
  'click .submit': function (event) {
    event.preventDefault();
    Meteor.call('addSomething', Text1, Text2, (error, result) => {
      if (error) {
        console.log('shit happened');
      } else {
        console.log('good job!');
      }
    });
  }
});

// Server (or shared code, so the client also gets a stub for optimistic UI).
Meteor.methods({
  addSomething: function (Text1 = 'defaultValue', Text2 = 'defaultValue') {
    // do your security magic here - check parameters, check user permissions etc
    if (!this.userId) {
      throw new Meteor.Error('not-authorized');
    }
    check(Text1, String); // check() comes from the check package
    check(Text2, String);
    // do your Posts.insert() here; the owner comes from the server-side session
    return Posts.insert({ location: Text1, desc: Text2, userId: this.userId });
  }
});
```
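Putting the thread's advice together, here is an added example (not code from the thread or from Meteor) of the owner-only insert, update and remove from the question written as server-side methods; Meteor.methods, Mongo.Collection and Meteor.Error are replaced by constructed stand-ins (MemoryCollection, MethodError, callAs) so it runs in plain Node.

```javascript
// Added example, not code from the thread. MemoryCollection, MethodError and
// callAs are constructed stand-ins for Mongo.Collection, Meteor.Error and the
// server's method dispatch, so the logic runs in plain Node without Meteor.
class MemoryCollection {
  constructor() { this.docs = new Map(); this.nextId = 1; }
  insert(doc) { const _id = String(this.nextId++); this.docs.set(_id, { _id, ...doc }); return _id; }
  findOne(_id) { return this.docs.get(_id); }
  update(_id, fields) { Object.assign(this.docs.get(_id), fields); }
  remove(_id) { this.docs.delete(_id); }
}
const Posts = new MemoryCollection();
class MethodError extends Error { constructor(reason) { super(reason); this.reason = reason; } }

// Server-side owner check: the post is read from the database here, so the
// client cannot forge userId the way it could in a client-supplied document.
function requireOwner(userId, postId) {
  if (!userId) throw new MethodError('not-authorized');
  const post = Posts.findOne(postId);
  if (!post) throw new MethodError('not-found');
  if (post.userId !== userId) throw new MethodError('not-authorized');
  return post;
}
function requireStrings(...values) {
  if (!values.every((v) => typeof v === 'string')) throw new MethodError('invalid-arguments');
}

// The methods. `this.userId` is set by the server from the session, never by the client.
const postMethods = {
  'posts.insert'({ location, desc }) {
    if (!this.userId) throw new MethodError('not-authorized');
    requireStrings(location, desc);
    // Only whitelisted fields are stored, and the owner is stamped server-side.
    return Posts.insert({ location, desc, userId: this.userId });
  },
  'posts.update'(postId, { location, desc }) {
    requireOwner(this.userId, postId);
    requireStrings(location, desc);
    Posts.update(postId, { location, desc }); // userId cannot be changed through this method
  },
  'posts.remove'(postId) {
    requireOwner(this.userId, postId);
    Posts.remove(postId);
  },
};

// Invoke a method the way the server does for one logged-in session.
function callAs(userId, name, ...args) {
  return postMethods[name].apply({ userId }, args);
}
```

With the real Meteor packages, `postMethods` is what you would pass to `Meteor.methods`, and the allow/deny rules from the question are no longer needed at all.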

Thank you! It makes total sense :slight_smile: